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Abstract 

In  this  paper  we  present  a  result  towards  the  conjectured  nonex¬ 
istence  of  homogeneous  rotation  symmetric  bent  functions  having  de¬ 
gree  >  2. 
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1  Introduction 

The  class  of  rotation  symmetric  Boolean  functions  (RSBFs)  has  received  a 
lot  of  attention  from  a  combinatorial  and  cryptographic  perspective  [1,  2, 
4,  5,  9,  10,  11,  14,  15,  3].  The  initial  study  on  the  nonlinearity  of  these 
functions  was  done  in  [4],  where  nonlinearity  was  the  main  focus.  Later 
on,  the  nonlinearity  and  correlation  immunity  of  such  functions  have  been 
studied  in  detail  in  [1,  5,  9,  10,  14,  15].  Applications  of  such  functions  in 

hashing  has  also  been  investigated  [11].  The  set  of  RSBFs  are  interesting 

2n 

to  look  into  as  the  space  is  much  smaller  (~  2  fr )  than  the  total  space 
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of  Boolean  functions  (22")  and  the  set  contains  functions  with  very  good 
cryptographic  properties.  It  has  been  experimentally  demonstrated  that 
there  are  functions  in  this  class  which  are  good  in  terms  of  balancedness, 
nonlinearity,  correlation  immunity,  algebraic  degree  and  algebraic  immunity 
(resistance  against  algebraic  attack)  [3]  at  the  same  time. 

It  is  interesting  to  note  that  the  famous  Patterson-Wiedemann  func¬ 
tions  [PW83]  that  achieve  nonlinearity  16276  (strictly  greater  than  non¬ 
linearity  215-1  —  2^15”1^/2  obtained  by  bent  functions  concatenation)  in  15 
variables  are  in  fact  rotation  symmetric.  Moreover,  Kavut  et  al.  [6,  7,  8] 
proved  that  there  exist  rotation  symmetric  functions  in  9  variables  having 
nonlinearity  241  and  242  (which  is  also  strictly  greater  than  the  bent  con¬ 
catenation  nonlinearity  29^1  —  2^9_1-)/2),  which  was  rather  surprising  and 
gives  further  motivation  for  the  rotation  symmetric  Boolean  functions  in¬ 
vestigation. 

Regarding,  the  combinatorial  structure  of  these  functions,  Stanica  et 
al.  [15]  showed  that  the  Walsh  spectra  of  RSBFs  give  rise  to  a  certain  ma¬ 
trix  with  interesting  combinatorial  properties  that  helps  in  fast  calculations 
of  different  cryptographic  properties  of  these  functions.  Later  this  matrix 
has  been  studied  in  detail  in  [9,  10]  for  odd  number  of  variables  and  new 
structures  have  been  discovered.  However,  the  problem  remained  open  for 
even  variable  case. 

It  is  well  known  that  bent  functions  only  exist  on  even  number  of  vari¬ 
ables  [12],  The  rotation  symmetric  bent  functions  have  been  studied  in 
detail  in  [1,  4,  15,  14].  Here,  we  present  a  large  class  of  homogeneous  RSBFs 
which  are  not  bent.  This  partially  answers  the  conjecture  presented  in  [14]. 

1.1  Preliminaries 

A  Boolean  function  f  on  n  variables  may  be  viewed  as  a  mapping  from 
F?j  =  {0)  l}n  into  the  two-element  field  F2;  it  can  also  be  interpreted  as 
the  output  column  of  its  truth  table  /,  that  is,  a  binary  string  of  length  2n, 
/  =  [/( 0,0,--- , 0) , /(l, 0,  -  -  -  , 0) ,...,/( 1 , 1 ,  -  -  -  ,1)]. 

The  Hamming  distance  between  Si,  S2  is  denoted  by  d(S\,  S2)  =  #(<Si  / 
S2).  Also  the  Hamming  weight  or  simply  the  weight  of  a  binary  string  S  is 
the  number  of  ones  in  S.  This  is  denoted  by  wt(S).  An  n- variable  function 
/  is  said  to  be  balanced  if  its  output  column  in  the  truth  table  contains  equal 
number  of  0’s  and  l’s  (i.e.,  wt(f)  =  2n_1). 

The  addition  operator  over  F2  is  denoted  by  ©.  An  n- variable  Boolean 
function  /  can  be  considered  to  be  a  multivariate  polynomial  over  F2.  This 
polynomial  can  be  expressed  as  a  sum  of  products  representation  of  all 
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distinct  k-th  order  products  (0  <  k  <  n)  of  the  variables.  More  precisely, 
f(x i, . . . ,  xn)  can  be  written  as 

«0®  0  <HXi  ©  (J)  OijXiXj  ©  ...  ©  a12...nxix2  ...xn, 

l<i<n 

where  the  coefficients  ao,  atj,  ■  ■  ■ ,  ai2...n  £  {0, 1}.  This  representation  of  /  is 
called  the  algebraic  normal  form  (ANF)  of  /.  The  number  of  variables  in  the 
highest  order  product  term  with  nonzero  coefficient  is  called  the  algebraic 
degree ,  or  simply  the  degree  of  /  and  denoted  by  deg(f).  A  Boolean  function 
is  said  to  be  homogeneous  if  its  ANF  contains  terms  of  the  same  degree  only. 

Functions  of  degree  at  most  one  are  called  affine  functions.  An  affine 
function  with  constant  term  equal  to  zero  is  called  a  linear  function.  The 
set  of  all  n-variable  affine  (respectively  linear)  functions  is  denoted  by  A{n) 
(respectively  L(n)).  The  nonlinearity  of  an  n-variable  function  /  is 

Nf=  mj  n(d(f,g)), 

g&A(n) 

i.e. ,  the  distance  from  the  set  of  all  n-variable  affine  functions. 

Let  x  =  (xi, . . .  ,xn)  and  uj  =  (uq, . . . , ujn)  both  belonging  to  FI)  and 
x  ■  lo  =  x\uj\  ©  ...  ©  xnujn.  Let  f(x)  be  a  Boolean  function  on  n  variables. 
Then  the  Walsh  transform  of  f(x)  is  a  real  valued  function  over  F?)  which 
is  defined  as 

Wf(u)  =  J2 

x£F% 

In  terms  of  Walsh  spectra,  the  nonlinearity  of  /  is  given  by 
Nt  =  2n~1  —  -  max  \Wf(u)\. 

Let  Xi  £  F2  for  1  <  i  <  n.  For  1  <  k  <  n,  we  define  the  permutation 
Pn(xi )  as  Pn(xi)  =  Xi+k,  if  i  +  k  <  n  and  p^{xi )  =  .Tj+fc_n,  if  i  +  k  >  n.  For 
(xi,X2,  •  ■  •  ,xn)  €  F2,  we  extend  the  definition  by  p%(x i,x2,  ■  ■  ■  ,xn-i,xn)  = 
(Pn(x\) ,  Pn(x2) ,  •  •  • ,  Pn(xn-\ ) ,  p\ (xn) ) .  Hence,  p*f  acts  as  /c-cyclic  rotation  on 
an  ?7,-bit  vector. 

Definition  1.  A  Boolean  function  f  is  called  rotation  symmetric  if  for  each 
input  (aq, . . . ,  xn)  G  F2 , 

f{Pn(x  1,  •  •  -,Xn))  =  f(x  1, . . .  ,xn)  for  1  <  k  <  n. 
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That  is,  the  rotation  symmetric  Boolean  functions  are  invariant  under 
cyclic  rotation  of  inputs.  The  inputs  of  a  rotation  symmetric  Boolean  func¬ 
tion  can  be  divided  into  partitions  so  that  each  partition  consists  of  all 
cyclic  shifts  of  one  input.  A  partition  is  generated  by  Gn(x i,X2,  •  •  • ,  xn)  = 
{Pn(x i,X2,  •  •  • ,  xn)\l  <  k  <  n}  and  the  number  of  such  partitions  is  denoted 
by  gn.  Thus  the  number  of  n-variable  RSBFs  is  29n.  Let  (j>(k)  be  Euler’s 
/Ad-function,  then  it  can  be  shown  by  Burnside’s  lemma  that  (see  [14]) 
9n  =  ^Efc|n^(fc)2t- 

By  gn,w  we  denote  the  number  of  partitions  with  weight  w.  For  the 
formula  of  how  to  calculate  gUtW  for  arbitrary  n  and  w,  we  refer  to  [14,  9,  10]. 

A  partition,  or  group ,  is  completely  determined  by  its  representative  el¬ 
ement  An  j,  which  is  the  lexicographically  first  element  belonging  to  the 
group  [15].  These  representative  elements  are  again  arranged  lexicograph¬ 
ically.  The  rotation  symmetric  truth  table  (RSTT)  is  defined  as  the  r/n-bit 
string  [/(Anj0),/(Anji), . . . ,  /(ABiJn_j)]. 


2  The  Result 

Construction  and  enumeration  of  bent  RSBFs  have  been  studied  in  [4,  14, 
15,  1].  In  [14],  it  has  conjectured  that  there  are  no  homogeneous  bent  RSBFs 
of  degree  greater  than  two.  Some  partial  result  in  this  direction  has  been 
presented  in  [15,  Theorem  5].  Here  we  will  present  another  approach  which 
provides  a  different  insight  into  this  problem.  Let  us  now  recall  [16,  Theorem 
30]. 

Theorem  1  (Zheng-Zhang-Imai  [16]).  Let  f  be  a  function  on  F.”  and  J  be  a 
subset  of  {1,2, ... ,  n}  such  that  f  does  not  contain  any  term  Xj1  ■  ■  ■  Xjt  where 
t  >  1  and  j i , . . .  ,jt  €  J .  Then  the  nonlinearity  of  f ,  Nf  <  2n_1  —  2s-1, 
where  s  =  |  J\ . 

As  an  example,  take  an  8-variable  RSBF  /  having  SANF  X1X2X3,  i.e., 
the  algebraic  normal  form  X1X2X3  ©  X2X3X4  ©  X3X4X5  ©  x^x^xq  ©  X5XQX7  © 
XQX7Xs®X7XsXi®xsXiX2 ■  Refer  to  [15,  Section  3]  for  the  definition  of  Short 
Algebraic  Normal  Form  (SANF).  Let  J  =  {1,2,4,  5,7}  as  in  the  previous 
theorem.  It  is  easy  to  see  that  there  is  no  term  in  /  with  all  indices  from  J. 
Since  |  J\  =  5,  it  follows  that  the  nonlinearity  <  27  —  24  =  128  —  16  =  112; 
in  reality,  the  nonlinearity  is  80. 

Next,  we  present  our  main  result  which  gives  more  insight  to  the  men¬ 
tioned  conjecture  than  [15,  Theorem  5].  Theorem  2 (iii)  supports  the  con¬ 
jecture  presented  in  [14]  for  a  large  class  of  homogeneous  RSBFs.  For 
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a  homogeneous  degree  d  RSBF  /  with  its  SANF  given  by  where 

i= 1 

Pi  =  x  (i)X  (i)  ■  ■  ■  x  (*)  (note  that  is  1  for  all  i),  we  define  a  sequence  d^, 

j  =  1,2, .. . ,  by  —  kjL\  Let  df  =  maxjj{d^},  that  is,  the 

largest  distance  between  two  consecutive  indices  in  all  monomials  of  /. 

Theorem  2.  The  following  hold  for  a  homogeneous  RSBF  f  of  degree  d  >  3 
in  n  variables: 

(i)  If  the  SANF  of  f  is  x  1  . . .  Xd,  then  f  is  not  bent. 

(ii)  If  the  SANF  of  f  is  aqaq  ■  ■  ■  Xd-iXd  ©  X\X2  .  .  ■  Xd-iXd+i,  then  f  is  not 
bent,  assuming:  if  n  ^  1  (mode?);  f  >  |_5_l’  tf  n  =  1 

(mod  d). 

(Hi)  In  general,  if  df  <  then  f  is  not  bent. 

Proof.  It  is  easy  to  check  the  claim  for  n  =  6.  Now  we  consider  d  >  3  and 
n  >  8. 

Take  the  rotation  symmetric  Boolean  function  /  with  SANF  aqaq  ■  ■  ■  Xd- 
Assume  first  that  n  ^  0  (mod  d).  Let  J  =  {1,2, . . . ,  d— 1,  d+1,  d+2, . . . ,  2d— 
1,  2d  + 1, ... ,  [n/d\d—l,  [n/d\d+ 1, . . . ,  n  —  1}.  Since  /  is  homogeneous  and 
there  are  no  d  consecutive  indices  (assume  xn+\  :=  aq,  etc.),  as  required  by 
the  terms  of  /,  it  follows  that  the  set  J  satisfies  the  conditions  of  Theorem  1. 
To  find  the  number  of  elements  of  J,  we  count  the  missing  indices,  obtaining 
|  J\  =  n  —  \  n/d\  —  1.  Thus,  Nf  <  2n~1  —  2n-Ln/dJ-2.  Since  d  >  3  and  n>  8, 
then  |n/c?J  +  1  <  |_n/3j  +  1  <  n/3  +  1  <  n/2.  Therefore,  n  —  [n/d\  —  2  > 
n/ 2  —  1,  which  implies  Nf  <  2n_1  —  2n/2-1,  so  /  is  not  bent. 

If  n  =  0  (mod  d),  take  J  =  {1, 2, . . . ,  d  —  1,  d  +  1,  d  +  2, . . . ,  2o?  —  1,  2d  + 
1, . . . ,  |_n/c?Jc?  —  1  =  n  —  1},  with  \J\  =  n  —  n/d.  Thus,  Nf  <  2n~1  — 
2n~ \n/d\—i  <  2n”1  —  2n/2-1,  so  /  is  not  bent,  in  this  case,  as  well. 

We  prove  next  claim  (ii)  for  the  homogeneous  rotation  symmetric  Boolean 
function  /  with  SANF  aqaq  . . .  Xd  ©  aqaq  •  •  •  a^-i-  Assume  that  n  ^  0, 1 
(mod  c?).  Take  J  =  {1,  2, . . . ,  d  —  1,  d  +  2, ... ,  [n/d\d—  1,  [n-/djd  +  2, . . . ,  n  — 
2},  which  satisfies  Theorem  1,  since  there  are  no  d  consecutive  indices  with  a 
gap  of  length  2.  By  counting  missing  indices,  we  obtain  |  J\  =  n  —  2[n/d\  —1, 
therefore  Nf  <  2n-i_2™-2KdJ-2  <  2n-l-2n/‘2~1 ,  ifn/2-1  <  n-2[n/dJ-2, 
which  is  equivalent  to  n  >  4[n/dJ  +2. 

Next,  assume  that  n  =  0  (mod  d),  respectively,  n  =  1  (mod  d).  In  these 
cases,  take  Jo  =  {2, . . . ,  d  —  1,  d  +  2, . . . ,  [n/d\  d  —  1  =  n  —  1},  respectively, 
J\  =  {1, 2, . . . ,  d  —  1,  d  +  2, . . . ,  \n/d\d  —  1  =  n  —  2}.  Both  Jo,  Ji  satisfy 
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Theorem  1  and  as  before,  counting  missing  indices,  we  obtain  |  Jq|  =  n  — 
2[n/d\  —  1  and  J\  =  n  —  2[n/d\.  It  follows  that,  under  n  =  0  (mod  d), 
Nf  <  2"-1  -  2n-2Ln/dJ-2  <  2n~1  -  2n/2-1,  if  n/2  -  1  <  n-  2[n/d\  -  2, 
which  is  equivalent  to  n  >  4|_n/dJ  +2.  Also,  under  n  =  1  (mod  d),  Nf  < 
2n~1  _  2n-2Ln/dJ-i  <  2n_1  -  2n/2“i,  if  n/2  -  1  <  n  -  2[n/dJ  -  1,  which  is 
equivalent  to  n  >  4|_n/dJ. 

We  prove  now  claim  (in).  If  df  =  1,  it  follows  that  /  is  generated  by 
x i  x'2  •  •  •  Xd,  and  the  result  follows  from  part  (■ i ).  Assume  that  df  >  2. 

Case  1.  n  =  ko  (mod  d).  ko  >  df.  We  use  once  again  Theorem  1.  Take 
J\  =  {df,df  +  l,...,d—l,d  +  df,d  +  df  +  l,...,d\n/d\  — 1  =  n  —  ko  — 
1,  d[n/d\  +  df, . . .  ,n  —  1}. 

Case  2.  n  =  ko  (mod  d),  0  <  ko  <  df.  Take  J2  =  {df  —  ko,df  —  ko  + 
1, . . . ,  d  —  1,  d  +  df,  d  +  df  +  1, . . . ,  d[n/d\  —  1  =  n  —  ko  —  1}. 

Both  Ji,  J2  satisfy  the  conditions  of  Theorem  1  and  |  J\\  =  n  —  df[n/d\  — 
1,  IJ2I  =  n  —  df  [n/d\.  Therefore,  in  Case  1,  Nf  <  2n~l  —  2n_d/Ln/dJ“2  < 
2n_1  —  2n/2-1,  with  the  last  inequality  holding  if  and  only  if  n/2  —  1  < 
n  —  df\n/d\  —2.  The  last  inequality  follows  from  our  imposed  condition 


In  Case  2,  Nf  <  2n“x  -  2n~df^d^1  <  2""1  -  2"/2”1,  with  the  last 
inequality  holding  if  and  only  if  n/2  —  1  <  n  —  df\n/d\  —  1.  The  last 
inequality  follows  from  df  <  □ 
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